Identifying security innovation strategies

Tom Quillin is the Director of Cyber Security Technology and Initiatives at Intel Corporation. In this interview he talks about security innovation, current and future threats.

Even though we’ve seen a variety of security technologies appear during the past decade, the rapid evolution and increasing sophistication of the threat landscape ensured a never-ending battle with the bad guys. What can the information security industry do to truly innovate, not just follow the tactics of cybercriminals and, ultimately, act as a giant band aid?
There are many things the information security industry can do to stay ahead of the bad guys through innovation. Here are just five things that would give any organization a head start.

Master the basics: Make sure you start at the endpoint and work your way into a comprehensive layered defense. Keep focus on the importance of disciplined deployment of anti-virus systems, network security, patch management and deployment, etc.

Iron out the seams: The scope and complexity of today’s IT systems require a multitude of security solutions to keep everything safe. Organizations rightly want best-of-breed solutions to protect their domains. At the same time, we can increase risk to the enterprise if we “bolt on” appliance after appliance, solving one unique problem at a time. We can actually increase the odds of error to due misconfiguration or incompatibility if we lose sight of the seams. So it’s important to make sure we’re always integrating and evaluating, to make sure we are ironing out those seams.

Outflank them: There is lots of innovation today in the area of hardware-enhanced security. Where possible, make sure you take advantage of everything your platforms offer in terms of hardware and software-based security. Many security software products out there today work just fine alone, but when collaborating with hardware that provides lower-level security controls and resources, you get a more robust and secure solution.

Encrypt and authenticate everything: When encryption was expensive, we had to prioritize what we protected. Today Moore’s Law has enabled virtually ubiquitous encryption. Tools for everything from build data encryption for data at rest to straightforward protection of data in motion are easily and widely available. Let’s use them. Similarly, let’s expect that identity and authentication will get easier and better. For example, if we harden identity with things like multi-factor authentication, bio-metrics, and federation, we can reduce the dependency on passwords and thereby remove one of the weakest links in the security chain. How often can you say that you have improved the user experience while elevating security? That’s innovation!

Exercise your recovery plans: No one wants to hear it, but bad things will happen. Plan for it. Drill for it – like my elementary school did in St Louis where I grew up, getting us ready for tornadoes! Build resiliency and robust business continuity plans.

Based on your conversations with industry peers, what type of threat scenario keeps them awake at night these days?
The areas of concern for security professionals can be broadly classified into two main categories: 1) Innovation, where you want to say “Yes” while being responsible, and 2) Keep the Business Running (KTBR), where you ensure that you have adequate protections for existing systems.

Regarding innovation, a few major trends are top-of-mind with IT professionals and security practitioners – Big Data, Cloud, SDN and Mobility. While these trends offer tremendous business benefits to organizations that can leverage them, they have the added challenge that LOB wants them ASAP and will work around IT to get them. IT may be willing to provide the capabilities but must ensure their duties to the corporation are met – that is the essence of one of items that keeps them up at night.

In addition, with respect to KTBR, IT needs to ensure that widespread breaches aren’t going to impact them. This means making sure that protections in place are adequately manned, and have appropriate processes in place to succeed in the face of a determined attack, whether launched from a POS terminal or the internet. Basically, do we have the right people trained, are the best tools in place, and are the appropriate processes being followed?

From an IT security perspective, we are anxious about where the breeches will occur, will we respond quickly enough, will we follow our existing security-privacy practices and policies. Are we doing enough to protect our customers’ data, employees’ personal data, our organizations’ data & intellectual property?

How can we make information security ubiquitous for all users on every device?
A great vision! From Intel’s perspective in the industry, it has been exciting to apply Moore’s law to making security measures easier to deploy, more efficient and more hardened. And it’s exciting to see OSVs improving security in devices of all types. But ultimately, ubiquitous information security won’t come from technology alone. It’s going to require user learning and a change in habits, and that may be much more difficult than any technology innovation.

When you look into your crystal ball, what security challenges do you see in the near future? What should we start preparing for?
We need to keep striving for highly resilient and trusted code execution. Today’s curated app stores offer users some security benefits, but we need to assume and plan for malware to break those protections and to escape detection. Which begs the question, how can we create strong isolation and protection for data and credentials in dirty environments? I’m excited that the next few years could bring real advances.

Also we need to complement our security thinking with a commitment to “privacy by design.” Some innovative thinking on this front has come from the Privacy by Design Centre of Excellence. My Intel colleague David Hoffman is an ambassador for the Centre, and David’s comments are very helpful, as are the writings of Ann Cavoukian, Ph.D., founder of Privacy by Design.